Friday, April 25, 2014

This article is written in English and Portuguese (original version here)

English version
Recently I was asked to implement some stored procedures at a customer site. The request was urgent and I must admit I didn't pay enough attention. The procedures needed to accept some values that would be used inside some SQL statements. Basic best practices mandate that we check all parameters and, in such cases, use prepared statements. These principles provide for better interaction with the calling layer and, more importantly, help us avoid a classic and nasty security flaw called SQL injection.
The idea behind SQL injection is terribly simple and efficient: by supplying specially crafted parameters we exploit the developer's mistake of not sanitizing those parameters and blindly using them to construct SQL statements. By doing so we may be able to change the meaning of those statements or even terminate them and include our own. A couple of examples:

Well, after the procedures were created and some basic testing was done, I had a bit more time to look at the code and I noticed I had used the SQL instruction "EXECUTE IMMEDIATE..." where I was just concatenating some SQL with the provided arguments. Some of them were loosely checked, but others were not checked at all. I was alarmed and ashamed by that piece of code and I decided to prove it was crappy... I tried to send weird parameters which included a semicolon and a full statement following it. As an example, consider something like:

As a security measure or not, EXECUTE IMMEDIATE and PREPARE inside stored procedures don't allow the execution of more than one instruction. A reason for that can be to avoid this specific type of SQL injection exploitation. So it was a good surprise to see that the good people in R&D had thought about something that I failed to (at my first attempt). This is a good security measure. But don't get too enthusiastic... Terminating a statement and including another one in a variable or argument is just one of the SQL injection attacks. It will be useless against the two examples above. So be aware and never make the same mistake I was about to make: always check your parameters and, if possible, PREPARE your statements. That's the way to avoid these security issues.
For the so-called "cursory" statements we can use PREPARE, DECLARE, OPEN, FETCH, CLOSE and FREE. For non-cursory statements we need to use EXECUTE IMMEDIATE. In any case, it's essential to validate all inputs!
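To make the before/after concrete, here is an added example in Informix SPL (my own, not code from the original post): a routine written the way I was about to write it, followed by a hardened rewrite. The table name "orders" and the column customer_num are constructed for illustration.

```sql
-- Added example, not from the original post: the pattern the post warns
-- about and a hardened rewrite in Informix SPL. The table "orders" and its
-- column customer_num are constructed names used only for illustration.

-- VULNERABLE: both arguments are pasted into the statement text unchecked,
-- so a caller controls what the statement means, not just what it compares.
CREATE PROCEDURE count_orders_unsafe(p_tab VARCHAR(128), p_cust VARCHAR(32))
RETURNING INTEGER;
  DEFINE sql_txt LVARCHAR;
  DEFINE cnt     INTEGER;
  LET sql_txt = 'SELECT COUNT(*) FROM ' || p_tab ||
                ' WHERE customer_num = ''' || p_cust || '''';
  PREPARE s_id FROM sql_txt;
  DECLARE c_id CURSOR FOR s_id;
  OPEN c_id;
  FETCH c_id INTO cnt;
  CLOSE c_id;
  FREE c_id;
  FREE s_id;
  RETURN cnt;
END PROCEDURE;

-- HARDENED: the identifier is used only after it has been found in the
-- system catalog, and the value is a typed INTEGER argument, so the caller
-- can only ever contribute a number to the statement text.
CREATE PROCEDURE count_orders_safe(p_tab VARCHAR(128), p_cust INTEGER)
RETURNING INTEGER;
  DEFINE sql_txt LVARCHAR;
  DEFINE cnt     INTEGER;
  DEFINE n       INTEGER;
  -- Accept only an existing user table (tabid >= 100) with exactly this name.
  SELECT COUNT(*) INTO n FROM systables
   WHERE tabname = p_tab AND tabtype = 'T' AND tabid >= 100;
  IF n <> 1 THEN
    RAISE EXCEPTION -746, 0, 'Table name rejected';
  END IF;
  LET sql_txt = 'SELECT COUNT(*) FROM ' || p_tab ||
                ' WHERE customer_num = ' || p_cust;
  PREPARE s_id FROM sql_txt;
  DECLARE c_id CURSOR FOR s_id;
  OPEN c_id;
  FETCH c_id INTO cnt;
  CLOSE c_id;
  FREE c_id;
  FREE s_id;
  RETURN cnt;
END PROCEDURE;
```

The catalog check is the part that matters for the identifier: a name that is not an existing user table never reaches the statement text, and the typed argument removes the need to quote the value at all.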

Monday, April 21, 2014

This article is written in English and Portuguese (original version here)

English version
IBM has the capability to do things right without anyone knowing about it. A very simple example of this is the publication of a white paper about the use of Informix on the Power7 architecture.
I was aware of the existence of such a document internally, but I didn't notice it had been published.

You can find it and download it easily (which doesn't always happen :) ) here:

Monday, April 14, 2014

This article is written in English and Portuguese (original version here)

English version
IBM already announced this, at least in this post from the IBM Technical Content blog, but I think it's appropriate to mention it here. The traditional InfoCenters, which are the standard IBM online documentation sites, will be discontinued in the near future.
IBM has replaced all the InfoCenters (one for each product/version) with a centralized site that contains all the documentation for all products/versions. This new site is the IBM Knowledge Center.

What does it mean for us, the users? Not much... it means we'll have to update our links, or better said, change several links into just one where we can easily browse the products/versions.
But the new site tries to improve on something that was already introduced into the InfoCenters: it will adapt to you and to your needs, provided you log in to the site with your ibm.com user credentials.
IBM Knowledge Center will allow you to:

search more effectively

create your own bookmarks

share the content through email or social networks

export content in PDF format

add comments

provide feedback to IBM

Naturally it's expected this will also bring benefits to IBM. These may include:

Having all Infocenters in a single interface brings simplicity and easier management

The benefits of introducing a functionality will be available to all products/versions

Better customer interaction

But these will probably translate into an improved customer experience while using the online documentation.
The date for retirement of the InfoCenters is yet to be announced, but I urge you to adopt Knowledge Center. You'll notice it works faster than the InfoCenters, and after the initial adaptation period (to get used to the slightly different interface) you'll find it's better than the previous interfaces. For detailed information, please check the Chat with the Labs webcast about this topic, available at:

This article is written in English and Portuguese (original version here)

English version
If you have the slightest security concern, you've certainly noticed that everybody is very concerned with a security issue found in OpenSSL which was named the Heartbleed bug (a kind of joke, because the bug attacks a functionality of SSL/TLS known as the Heartbeat extension). And this is perfectly justifiable. It has been considered one of the most serious security threats of recent years. Why? Because it can be used to steal sensitive cryptographic information from sites, such as private keys. With this information the attackers can do all sorts of things, specifically impersonate those sites, and after that they can steal user information, passwords etc. The issue per se is terrible, but the worst part is that OpenSSL is used by many products, which means that this is not "just" a vendor-specific bug.
Given the wide impact and seriousness of this issue, most vendors hurried to check whether their products were affected by the bug or not. The OpenSSL versions affected by this bug are 1.0.1 through 1.0.1f. Previous versions are safe (because they didn't implement the specific extension) and 1.0.1g includes the fix. So the question translates into: do we use OpenSSL? And if yes, do we use an unsafe version?
In the days immediately after the public disclosure of this bug we received several questions from customers inquiring whether our products were safe or not. And IBM hurried to create alerts and information about this.
The relevant links are:

Monday, April 07, 2014

This article is written in English and Portuguese (original version here)

English version:

You know that I rarely (if ever) post any information that does not relate to Informix here. In particular I don't use the blog to promote IBM or IBM products. But I believe this event is above all that. I'm not sure if anyone can define the birth date of a system (do you consider the first announcement, the start of the project, the first sale...?), but officially IBM Mainframe turns 50 today.
That's half a century... I'd say it's impossible to find another system that can match that (age) and that is still alive... I'm sure that the vast majority of my readers never worked with/on a mainframe. But I'd bet all of you have used a service based on a Mainframe today. We tend to think it belongs to an ancient world, where no innovation takes place etc. But, although I'm totally ignorant with regard to that environment, one thing I can assure you of: many, or nearly most, of the things we use today in LUW came from the mainframe. And if you think that was the case, but not anymore, let me just remind you that the first implementation of the Blink project was on the mainframe. Today you can use it in the Informix Warehouse Accelerator and IBM DB2 BLU. If they keep the pace, I'm sure that what we'll use tomorrow is being developed there today. Just for fun, you may want to check tomorrow's live event about the next 50 years of the Mainframe.
And to close this in a way that's not off-topic, I can also remind you that Informix runs on zLinux :)

About Me

I'm an IBMer and I've been working with IDS since I joined Informix in 1998.
The ideas and opinions expressed in this blog are personal and in no way represent IBM positions, strategy or opinions.
I chose to write this blog in English so that I could reach the maximum number of Informix users. Take notice that English is not my native language, so there are probably many mistakes.
I appreciate any comments, corrections and topic suggestions.
I can be reached at domusonline at gmail dot com.